Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method comprising: obtaining an advertised network path within an autonomous system, the advertised network path comprising a set of digital signatures corresponding to other autonomous systems corresponding to the advertised network path; identify a set of network paths to egress from the autonomous system; perform, using the set of network paths, a Shortest Path First (SPF) calculation to determine a set of costs; determining a second network path to egress from the autonomous system, the second network path corresponding to an ordering of network devices within the autonomous system and the second network path is selected from the set of network paths based on the set of costs; obtaining validation tokens of the network devices; generating, using the validation tokens and the ordering of network devices, a validation token nest; adding, as an attribute within the second network path, a reference to the validation token nest; and advertising the second network path to the network devices in the autonomous system.
2. The computer-implemented method of claim 1, wherein the validation tokens specify references to Media Access Control Security (MACsec) sessions among the network devices according to the ordering of the network devices.
3. The computer-implemented method of claim 1, wherein obtaining the validation tokens of the network devices comprises: obtaining Border Gateway Protocol Link-State (BGP-LS) information from one or more network devices within the autonomous system; and generating, using the BGP-LS information, the validation tokens of the network devices.
4. The computer-implemented method of claim 1, further comprising: receiving a request to obtain the validation tokens corresponding to the second network path, the request specifying an identifier of the validation token nest; identifying, based on the identifier, the validation tokens; and providing the validation tokens to fulfill the request.
5. The computer-implemented method of claim 1, wherein the second network path is advertised via a Border Gateway Protocol (BGP) update message.
6. The computer-implemented method of claim 1, wherein the reference is a digitally signed hash corresponding to the validation token nest.
7. A system, comprising: one or more processors; and memory including instructions that, as a result of being executed by the one or more processors, cause the system to: obtain a message specifying an advertised network path within an autonomous system; identify a set of network paths to egress from the autonomous system; perform, using the set of network paths, a Shortest Path First (SPF) calculation to determine a set of costs; determine a second network path to egress from the autonomous system from the set of network paths based on the set of costs; obtain a set of validation tokens corresponding to network devices of the autonomous system, the network devices being associated with the second network path; generate, using the set of validation tokens based on an ordering of the network devices within the second network path, a validation token nest of the second network path; add a reference to the second network path corresponding to the validation token nest; and advertise the second network path to the network devices of the autonomous system.
8. The system of claim 7, wherein the instructions further cause the system to: obtain forwarding tables of the network devices, the forwarding tables including attestation information of the network devices; and utilize the attestation information to generate the set of validation tokens.
9. The system of claim 8, wherein the forwarding tables are obtained using BGP-LS, the BGP-LS including one or more Type Length Value (TLV) information elements corresponding to the attestation information.
10. The system of claim 8, wherein the attestation information specifies references to MACsec sessions among the network devices according to the ordering of the network devices.
11. The system of claim 7, wherein the instructions further cause the system to: obtain a request to obtain the set of validation tokens, the request specifying an identifier of the validation token nest; identify, based on the identifier of the validation token nest, a storage location of the set of validation tokens; and provide location information to allow access to the storage location to obtain the validation tokens.
12. The system of claim 7, wherein the instructions that cause the system to advertise the second network path to the network devices of the autonomous system further cause the system to transmit, to the network devices of the autonomous system, a BGP update message specifying the second network path.
13. A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to: obtain an advertised network path within an autonomous system; identify a set of network paths to egress from the autonomous system; perform, using the set of network paths, a Shortest Path First (SPF) calculation to determine a set of costs; identify a second network path to egress from the autonomous system, the second network path corresponding to an ordering of network devices within the autonomous system and the second network path is selected from the set of network paths based on the set of costs; obtain a set of validation tokens of the network devices; generate, using the set of validation tokens and based on the ordering of network devices, a validation token nest corresponding to the second network path; and transmit, to the network devices, the second network path, the second network path specifying an attribute corresponding to the validation token nest.
14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to: obtain, from the network devices, a set of forwarding tables, the set of forwarding tables including attestation information of the network devices; and use the attestation information to generate the set of validation tokens.
15. The non-transitory computer-readable storage medium of claim 13, wherein the attribute is a digitally signed hash that corresponds to the validation token nest and the second network path.
16. The non-transitory computer-readable storage medium of claim 15, wherein the set of validation tokens include evidence of a set of MACsec sessions among the network devices in accordance with the ordering.
17. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to: obtain a request to obtain the validation tokens, the request specifying an identifier of the validation token nest; identify, based on the identifier, a storage location of the validation tokens; and obtain the validation tokens from the storage location to provide the validation tokens in response to the request.
18. The non-transitory computer-readable storage medium of claim 13, wherein the second network path and the attribute are transmitted in a BGP update message to the network devices.
19. The non-transitory computer-readable storage medium of claim 13, wherein network devices utilize an Intermediate System-to-Intermediate System (ISIS) protocol within the autonomous system.
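The claims above describe a procedure (SPF over candidate egress paths, lowest-cost path selection, a validation token nest built from per-device tokens in path order, and a signed-hash reference carried as a path attribute, claims 1, 4, 6 and 15) but not the internal layout of the nest or the reference. The following is an added, illustrative implementation written for this page; it is not code from the patent or its assignee. Everything in it is an assumption for demonstration: the intra-AS topology and egress set are constructed, the validation tokens are synthesised rather than derived from BGP-LS attestation TLVs, the nest is modelled as a hash chain folded in path order so that it commits to both token contents and ordering, the nest identifier is a hash of the ordering, and the "digitally signed hash" is stood in for by an HMAC because the standard library has no asymmetric signature primitive (a deployment would sign with the advertising router's private key). The receiver side shows the check a practitioner would want: recompute the nest from tokens fetched by nest identifier, verify the reference over nest and path, and reject reordered or substituted tokens.

```python
import hashlib
import heapq
import hmac
import json

# Constructed intra-AS topology (device -> {neighbour: IGP link cost}); not from the patent.
TOPOLOGY = {
    "R1": {"R2": 1, "R3": 4},
    "R2": {"R1": 1, "R3": 1, "R4": 5},
    "R3": {"R1": 4, "R2": 1, "R4": 1, "E1": 3},
    "R4": {"R2": 5, "R3": 1, "E1": 2, "E2": 1},
    "E1": {"R3": 3, "R4": 2},
    "E2": {"R4": 1},
}
EGRESS = {"E1", "E2"}                  # constructed: devices that can egress the AS
SIGNING_KEY = b"constructed-demo-key"  # assumption: stand-in for the router's signing key


def spf(topology, source):
    """Dijkstra shortest-path-first from source: returns (cost, predecessor) maps."""
    cost, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:          # stale heap entry
            continue
        for nbr, w in topology[node].items():
            if c + w < cost.get(nbr, float("inf")):
                cost[nbr] = c + w
                prev[nbr] = node
                heapq.heappush(heap, (c + w, nbr))
    return cost, prev


def select_egress_path(topology, source, egress):
    """Choose the cheapest egress and return (ordered device list, cost)."""
    cost, prev = spf(topology, source)
    best = min(egress, key=lambda e: (cost.get(e, float("inf")), e))
    path = [best]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], cost[best]


def canonical(obj):
    """Deterministic encoding so both sides hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_tokens(ordering):
    """Synthesised validation tokens: each device's attestation digest plus a reference
    to its MACsec session with the next hop in the ordering (claim 2). A real system
    would derive these from BGP-LS attestation TLVs; these values are constructed."""
    tokens = {}
    for i, dev in enumerate(ordering):
        nxt = ordering[i + 1] if i + 1 < len(ordering) else None
        tokens[dev] = {
            "device": dev,
            "attestation": hashlib.sha256(f"pcr-quote-{dev}".encode()).hexdigest(),
            "macsec_session": hashlib.sha256(f"{dev}|{nxt}".encode()).hexdigest()[:16] if nxt else None,
        }
    return tokens


def build_nest(tokens, ordering):
    """Fold per-device token digests in path order into one nested digest (assumed
    nest layout): the result changes if any token or the ordering changes."""
    acc = b""
    for dev in ordering:
        leaf = hashlib.sha256(canonical(tokens[dev])).digest()
        acc = hashlib.sha256(acc + leaf).digest()
    return acc


def nest_identifier(ordering):
    """Assumed identifier scheme used to look the tokens up later (claims 4, 11, 17)."""
    return hashlib.sha256("/".join(ordering).encode()).hexdigest()[:16]


def sign_reference(key, nest_digest, ordering):
    """Assumption: HMAC stands in for the digital signature over nest and path (claim 15)."""
    return hmac.new(key, nest_digest + canonical(ordering), hashlib.sha256).hexdigest()


def build_update(key, ordering, tokens):
    """Advertised path carrying the nest reference as an attribute (claims 1, 6, 13)."""
    nest = build_nest(tokens, ordering)
    return {
        "path": ordering,
        "validation_token_nest": {
            "nest_id": nest_identifier(ordering),
            "signed_hash": sign_reference(key, nest, ordering),
        },
    }


def verify_update(key, update, token_store):
    """Receiver check: fetch tokens by nest_id, recompute the nest over the advertised
    ordering and verify the signed reference in constant time."""
    ordering, ref = update["path"], update["validation_token_nest"]
    tokens = token_store.get(ref["nest_id"])
    if tokens is None or set(tokens) != set(ordering):
        return False
    expected = sign_reference(key, build_nest(tokens, ordering), ordering)
    return hmac.compare_digest(expected, ref["signed_hash"])


if __name__ == "__main__":
    ordering, cost = select_egress_path(TOPOLOGY, "R1", EGRESS)
    tokens = make_tokens(ordering)
    update = build_update(SIGNING_KEY, ordering, tokens)
    store = {update["validation_token_nest"]["nest_id"]: tokens}
    print(ordering, cost, verify_update(SIGNING_KEY, update, store))
```

Because the nest folds digests in path order, a receiver that obtains the right set of tokens but in a different order, or a token whose attestation value has been altered, computes a different nest and the reference check fails; the constructed topology selects R1, R2, R3, R4, E2 at cost 4.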
April 26, 2022